Abstract
This article deals with operational attacks mounted against cryptographic tools. The problem is approached from several points of view, the goal always being to retrieve a maximum amount of information without resorting to intensive cryptanalysis. The focus is therefore on errors, deliberate or not, in the implementation or use of such tools, and on information leakage. First, direct attacks on encryption keys are examined. Keys are searched for in binary files, in memory, or in memory files (such as hibernation files). We also show how bad initialization of a random generator sharply reduces key entropy, and how to negate this entropy by inserting backdoors. Then, we put ourselves in the place of an attacker confronted with cryptography. He must first detect that such algorithms are used. Solutions to this problem are presented, for analyzing binary files as well as communication streams. Sometimes an attacker can only access encrypted streams, without having the tools needed to generate such a stream, and is unable to break the encryption used. In such situations, we note that information leaks often remain which are clearly of interest. We show how classic methods used in network supervision, in forensics, and in sociology for studying social networks yield pertinent information. For example, we build sociograms able to reveal key elements of an organization, to determine the type of organization, etc. The final part applies the set of results obtained previously to the analysis of a closed network protocol. Packet format identification relies on behavioural analysis of the program, once all the cryptographic elements have been identified.
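The abstract notes that keys can be located in binary files and memory images. The sketch below is an added example, not code from the article: it shows how a defender can audit their own build artifact for embedded key material with a sliding-window byte-entropy scan. The entropy heuristic, window size, threshold and sample data are all assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

WINDOW = 64      # bytes per window (assumed); maximum entropy is log2(64) = 6 bits
THRESHOLD = 5.0  # bits/byte (assumed) separating structured data from random-looking data


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of the byte distribution in chunk, in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_regions(data: bytes, window: int = WINDOW,
                         threshold: float = THRESHOLD):
    """Slide a window over data; merge overlapping flagged windows into (start, end) spans."""
    regions = []
    for off in range(len(data) - window + 1):
        if shannon_entropy(data[off:off + window]) < threshold:
            continue
        if regions and off <= regions[-1][1]:
            # This window overlaps the previous flagged span: extend it.
            regions[-1] = (regions[-1][0], off + window)
        else:
            regions.append((off, off + window))
    return regions


# Constructed sample: repetitive configuration text with 64 random-looking bytes
# (standing in for an embedded key) placed at a known offset.
FILLER = b"CONFIG=1;" * 40
SAMPLE_KEY = (hashlib.sha256(b"constructed-1").digest()
              + hashlib.sha256(b"constructed-2").digest())
KEY_OFFSET = len(FILLER)
SAMPLE_IMAGE = FILLER + SAMPLE_KEY + FILLER

if __name__ == "__main__":
    for start, end in high_entropy_regions(SAMPLE_IMAGE):
        print(f"high-entropy span at bytes {start}..{end}: review for embedded key material")
```

Compressed or encrypted resources also trip this heuristic, so a flagged span is a prompt for manual review rather than proof that a key is present.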
Cite this article
Bedrune, JB., Filiol, É. & Raynal, F. Cryptography: all-out attacks or how to attack cryptography without intensive cryptanalysis. J Comput Virol 6, 207–237 (2010). https://doi.org/10.1007/s11416-008-0117-x
DOI: https://doi.org/10.1007/s11416-008-0117-x